JFrog Xray

Get Started with the JFrog Platform


Subscription Information

This feature is supported on the Cloud (SaaS) platform with an Enterprise X or Enterprise+ license, and on the Self-Hosted platform with a Pro X, Enterprise X, or Enterprise+ license.

JFrog Xray is a universal software composition analysis (SCA) solution that natively integrates with Artifactory, giving developers and DevSecOps teams an easy way to proactively identify open source vulnerabilities and license compliance violations before they manifest in production releases.

Main Features and Functionality

  • Early Detection: Xray identifies security vulnerabilities and license violations as early as the dependency declaration stage and blocks builds with security issues from development. It provides automated and continuous governance and auditing of software artifacts and dependencies throughout the software development lifecycle, from code to production.

  • Self-hosted, Cloud, Hybrid or Multi-Cloud Solution: Xray is available self-hosted (self-managed) and on the cloud. Xray Cloud is hosted on your choice of Amazon Web Services, Google Cloud Platform, or Microsoft Azure, allowing you to maintain infrastructure with automated server backups, free updates and guaranteed uptime.

  • Deep Recursive Scanning: Xray recursively scans artifacts, builds and Release Bundles in your system, drilling down to analyze even the smallest binary component that affects your software. For example, when analyzing a Docker image, if Xray finds that it contains a Java application it will also analyze all the .jar files used in this application.

  • Continuous Impact Analysis: Xray analyzes how an issue in one component affects all others in your company and displays the chain of impact in a component graph, allowing you to have a clear understanding of the impact one component has on another. It is continuously updated with new security vulnerabilities, performing an impact analysis to determine all artifacts affected by the issue.

  • Native Integration with Artifactory: Xray is the only security scanning tool that is natively integrated with JFrog Artifactory. As a complementary product to JFrog Artifactory, Xray has access to the wealth of metadata Artifactory stores which, combined with deep recursive scanning, puts Xray in a unique position to analyze the relationships between binary artifacts and provide radical transparency into your component architecture to reveal the impact that a vulnerability in one component has on any other.

  • Vulnerability Database: Xray comes with JFrog’s vulnerabilities database, which integrates data from vulnerability databases and security advisories, including NVD, GitHub, Ubuntu, Debian, Red Hat and PHP, and is enriched by the JFrog Security Research team to give more specific and detailed information on the vulnerability, its use cases and options for mitigation.

  • Custom API-Driven Automation: Through an open REST API, Xray lets you define a custom regimen of automated analysis for all components in your system. For more information, see Introduction to the Xray REST APIs.

  • Dependencies Scan: Scan your sources' dependencies for vulnerabilities and license violations using the JFrog CLI. For more information, see Xray Dependencies Scan.

  • On-Demand Binary Scan: Point to a binary in your local file system and receive a report that contains a list of vulnerabilities and licenses for that binary using the JFrog CLI. For more information, see Xray On-Demand Binary Scan.

  • SBOM: Enable DevSecOps engineers to understand and analyze the dependencies of their components. To learn more, see Xray SBOM Report.

  • JFrog Security CVE Research and Enrichment: JFrog's security research team provides enhanced analysis of CVE findings, so that you can focus on the most important issues and direct resources to fixing them. For more information, see JFrog Security CVE Research and Enrichment.

  • Component's Operational Risk: Provides you with additional data on OSS components that will help you gain insights into the risk level of the components in use. For more information, see Components Operational Risk.

  • JFrog Advanced Scans: Includes IaC security, secrets detection, contextual analysis and detection of OSS library and services misconfiguration or misuse. For more information, see JFrog Advanced Security.

  • Universal Artifact Analysis: In line with JFrog’s universal approach, JFrog Xray performs artifact analysis for all major package formats across the CI/CD pipeline. Xray understands each package type, knows how to unpack it and what every underlying layer contains.
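The recursive unpacking described under Deep Recursive Scanning and Universal Artifact Analysis can be pictured with the following added example. It is an illustration written for this page, not JFrog's implementation or API: the function names, the `!/` path separator, the depth limit and the sample layer are all assumptions, and the input is constructed in memory.

```python
import hashlib, io, tarfile, zipfile

MAX_DEPTH = 8  # assumed limit so hostile nesting cannot recurse forever

def members(data):
    """Return [(name, bytes)] if data is a tar or zip/jar archive, else []."""
    try:  # tar first: a tar that holds a jar can also look like a zip
        with tarfile.open(fileobj=io.BytesIO(data)) as tf:
            return [(m.name, tf.extractfile(m).read()) for m in tf if m.isfile()]
    except tarfile.TarError:
        pass
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [(i.filename, zf.read(i)) for i in zf.infolist() if not i.is_dir()]
    return []

def inventory(name, data, depth=0):
    """List (path chain, SHA-256) for a blob and every file nested inside it."""
    found = [(name, hashlib.sha256(data).hexdigest())]
    if depth < MAX_DEPTH:
        for child, blob in members(data):
            found += inventory(f"{name}!/{child}", blob, depth + 1)
    return found

def make_zip(files):
    """Build a zip/jar in memory from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for fname, content in files.items():
            zf.writestr(fname, content)
    return buf.getvalue()

def build_sample_layer():
    """Constructed input: tar layer -> app.jar -> bundled library jar -> class."""
    lib = make_zip({"org/example/Util.class": b"\xca\xfe\xba\xbe constructed"})
    app = make_zip({"BOOT-INF/lib/example-lib-1.0.jar": lib,
                    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo("opt/app/app.jar")
        info.size = len(app)
        tf.addfile(info, io.BytesIO(app))
    return buf.getvalue()

if __name__ == "__main__":
    for path, digest in inventory("layer.tar", build_sample_layer()):
        print(digest[:12], path)
```

Each digest in the inventory is what a scanner would match against known components, and the path chain records which outer artifact is affected when a nested component has an issue.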

Xray currently supports the following package formats with new formats added regularly.




Xray scans and indexes your Go Registries, Go Modules and Go packages including recursive analysis, component graph integration and providing detailed metadata information.


Xray can now scan Conda packages that contain Python packages and their dependencies for security vulnerabilities, license compliance and operational risk.


Xray recursively scans your PHP Composer packages in your registries, Zip files or Docker/Containers whether they are local or remote. Xray also checks for any dependencies in your PHP builds.


Scan your Maven project dependencies using Xray and view vulnerabilities directly from within the IntelliJ IDE, with the JFrog IntelliJ Maven Plugin. For more information, see IDE Integration.


Xray scans your Bower packages and performs impact analysis to keep all components in your organization safe from any violations.


Recursively scan the different layers of your Gradle packages and their dependencies, and use Xray's component graph to display the impact of any detected issues on your services and applications.


Xray scans your Ivy packages and performs impact analysis to keep all components in your organization safe from any violations.


Recursively scan your SBT packages and identify all components in your organization that are affected by a vulnerability, and monitor components for new issues and vulnerabilities that are detected.


Xray identifies each JavaScript file within your npm packages and performs matching and analysis on each one to ensure that your npm application is safe to use.

Learn more about the npm integration with Xray (npm audit) in npm Registry.


Xray scans NuGet packages, recursively going through the layers of dependencies to discover issues and vulnerabilities at any depth.


Xray recursively opens the different layers of your Python packages and their dependencies, discovering any issues and vulnerabilities that may affect your organization.


Xray identifies every component contained within every layer of your Docker images. This includes identifying the packages deployed on the OS in the base image layer.


Xray identifies the Debian packages deployed on your Debian or Ubuntu OS that’s running on the base layer of your Docker containers. Each component is scanned for issues and vulnerabilities giving you maximum visibility into your software dependencies.


Xray identifies the RPM packages deployed on your RedHat or CentOS OS that’s running on the base layer of your Docker containers. Each component is scanned for issues and vulnerabilities giving you maximum visibility into your software dependencies.


Xray provides transparency into your software architecture, recursively scanning RubyGems packages through all levels of dependency to discover issues and vulnerabilities.


Xray now scans and indexes your Alpine Repositories and Alpine Packages, including recursive analysis, component graph integration, and providing detailed metadata information.


Xray now scans Conan Packages and Conan Builds for issues and vulnerabilities. Xray identifies these issues in the conanmanifest.txt file. For more information, see Conan and C/C++ Support in Xray.


Xray now scans C/C++ dependencies in C/C++ builds to identify vulnerabilities in these builds. For more information, see Conan and C/C++ Support in Xray.

Google Distroless Images

Xray can now scan Google Distroless Images that only contain your application and its runtime dependencies.


Xray has been enhanced to perform scans on Rust Cargo packages.


Xray is now capable of conducting scans on CRAN packages (R packages) to detect security vulnerabilities, ensure license compliance, and evaluate operational risks.